Description
Corepack's verifySignature function fails with "No compatible signature found in package metadata" when the npm registry (JFrog Artifactory) returns dist.signatures on the package root endpoint (/<package>) but strips them from the version-specific endpoint (/<package>/<version>).
This is related to #725, but this issue specifically proposes a client-side improvement rather than waiting for the registry to fix the bug.
Reproduction
When using JFrog Artifactory as an npm registry proxy, querying the same instance for npm@11.9.0:
Version endpoint (/npm/11.9.0) — signatures missing:
{
  "dist": {
    "tarball": "https://artifactory.example.com/api/npm/npm/npm/-/npm-11.9.0.tgz",
    "shasum": "8cc4bc499c7ab52f1113985acc725572f99885b3",
    "integrity": "sha512-BBZoU926FCypj4b7V7ElinxsWcy4Kss88UG3ejFYmKyq7Uc5XnT34Me2nEhgCOaL5qY4HvGu5aI92C4OYd7NaA=="
  }
}
Package root (/npm) — signatures present under versions.11.9.0.dist:
{
  "dist": {
    "tarball": "https://artifactory.example.com/api/npm/npm/npm/-/npm-11.9.0.tgz",
    "shasum": "8cc4bc499c7ab52f1113985acc725572f99885b3",
    "integrity": "sha512-BBZoU926FCypj4b7V7ElinxsWcy4Kss88UG3ejFYmKyq7Uc5XnT34Me2nEhgCOaL5qY4HvGu5aI92C4OYd7NaA==",
    "signatures": [
      {
        "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U",
        "sig": "MEYCIQDTmejdAqE595yfEUJRrlNycmMtxUF2lbvc/2QUeacijAIhAORmTS/8EYpasfsO8aeAiFGQpWBJizpwHaWezlVr76av"
      }
    ]
  }
}
The signatures exist in the registry — Artifactory just doesn't include them when serving individual version metadata.
Error
Internal Error: No compatible signature found in package metadata
    at verifySignature (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:21999:63)
    at installVersion (/usr/lib/node_modules/corepack/dist/lib/corepack.cjs:22414:7)
Impact
This breaks any CI/CD system using corepack through a JFrog Artifactory npm proxy, including GitHub Dependabot (see dependabot/dependabot-core#14612).
Suggested improvement
When verifySignature fails to find signatures on the version-specific endpoint, corepack could fall back to the package root endpoint to retrieve signatures before failing. The package root request is heavier (returns all versions), but it would only be used as a fallback when the version endpoint is missing signatures.
Alternatively, corepack could treat missing signatures from a registry that provides signing keys as a warning rather than a fatal error, similar to how npm audit signatures handles it.
Environment
- Corepack version: bundled with Node.js (as used by github/dependabot-action)
- Registry: JFrog Artifactory 7.133.6 (self-hosted) proxying registry.npmjs.org
- Affected package: any package resolved through Artifactory (e.g., npm@11.9.0)
Related
- COREPACK_NPM_REGISTRY that does not return signatures (Artifactory)